As you can see, I've turned on debug logging on both containers, but drone/kubernetes-secrets shows no attempts by the other container to access it (I tested that it was logging requests I made with curl), and the drone logs don't show any errors.
I spent a few minutes looking at the drone source and couldn't figure out how the env var DRONE_SECRET_ENDPOINT did anything. It seemed like perhaps that code had been removed?
Hey there, sorry about that. The Kubernetes runtime does not yet support global secrets or registry credentials, but I'm actively working on this in the latest sprint. Kubernetes was not originally planned for 1.0, but I gave in to scope creep and am doing my best to bring the implementation up to speed as quickly as possible before a 1.0 final.
I documented some of the known gaps in Kubernetes in the latest release notes, in the Roadmap section. Once implemented, the Kubernetes runtime should have parity with the Docker runtime, or will at least be very close. See the 1.0.0-rc.4 release notes.
In the meantime, hopefully you can use the built-in secrets as a temporary workaround until the next release is available.
edit: just wanted to follow up that I hope to complete this sprint by the end of next week, at which point I will tag the next release.
Hey @bradrydzewski I tried this again, but with drone/drone:1.0.0-rc.5 and it’s still not working. Any thoughts on what I might be doing wrong or ideas on where to look?
hey there, sorry, I am unable to reproduce any issues. I will be publishing the full source code later next week so that everyone has access to the code and can self-troubleshoot.
I have also deployed the drone/kubernetes-secrets plugin according to the documentation, and I see zero requests to it. I was expecting plugins/docker to push the built image to the repository with credentials taken from the k8s secret. It doesn't seem to work yet in rc-5.
Docker push log tail:
```
unauthorized: The client does not have permission to push to the repository.
time="2019-02-19T15:44:02Z" level=fatal msg="exit status 1"
```
@rafi I provided some notes [1] for troubleshooting the Vault plugin. You should be able to use a similar approach to troubleshoot the Kubernetes secret plugin. I also recommend inspecting the source code to get more details.
I'm trying to use Kubernetes secrets from Drone jobs without success. I have deployed the plugin as a pod running the Docker image drone/kubernetes-secrets:latest.
The issue here is that kubernetes-secrets is trying to get the secrets from the default namespace, and I can't find any way to specify the namespace where the secret object lives and for which the current ServiceAccount has permissions.
Here is the log from drone-runner-kube when the Drone job is running and requests the secret:
```
time="2020-05-12T13:57:21Z" level=debug msg="secret: external: cannot get secret" error="kubernetes api: Failure 403 secrets "my-secret" is forbidden: User "system:serviceaccount:toolkit:drone-runner" cannot get resource "secrets" in API group "" in the namespace "default"\n" kind=secret name=my-secret thread=2
```
Any clue how to fix this via configuration or something?
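The 403 above is a standard Kubernetes RBAC denial: it names the service account (`system:serviceaccount:toolkit:drone-runner`), the verb (`get`), the resource (`secrets`), the object (`my-secret`) and the namespace the plugin queried (`default`). The script below is an added example, not part of this thread and not code from the Drone project or the kubernetes-secrets plugin. It parses that error message out of a constructed copy of the log line, prints the `kubectl auth can-i` check that reproduces the denial without running a build, and emits a namespaced Role/RoleBinding that grants only `get` on that one secret in the namespace that was queried. The role name `drone-secret-reader` is an assumed placeholder. Note what it does not do: it does not change which namespace the plugin looks in, which is the question the post actually asks and which this thread does not answer.

```python
"""Triage a Kubernetes RBAC 403 from a failed secret lookup and emit a
least-privilege Role/RoleBinding that would satisfy it.

Added example; not part of the thread, Drone, or the kubernetes-secrets plugin.
"""
import re

# Constructed sample: the drone-runner-kube debug line quoted in the thread,
# reproduced here so the script runs offline.
SAMPLE_LOG = (
    'time="2020-05-12T13:57:21Z" level=debug msg="secret: external: cannot get secret" '
    'error="kubernetes api: Failure 403 secrets "my-secret" is forbidden: '
    'User "system:serviceaccount:toolkit:drone-runner" cannot get resource "secrets" '
    'in API group "" in the namespace "default"\\n" kind=secret name=my-secret thread=2'
)

# Shape of the message the Kubernetes API server returns for an RBAC denial.
FORBIDDEN_RE = re.compile(
    r'\w+ "(?P<name>[^"]+)" is forbidden: '
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)


def parse_forbidden(line):
    """Extract subject, verb, resource, object name and namespace from a 403 line.

    Raises ValueError when the line is not an RBAC denial or the subject is not
    a service account (a human user needs a different RoleBinding subject).
    """
    m = FORBIDDEN_RE.search(line)
    if not m:
        raise ValueError("no Kubernetes RBAC 'is forbidden' message in line")
    info = m.groupdict()
    parts = info["user"].split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        raise ValueError("subject is not a service account: %s" % info["user"])
    info["sa_namespace"], info["sa_name"] = parts[2], parts[3]
    return info


def can_i_command(info):
    """kubectl command that reproduces the denial without running a pipeline."""
    return (
        "kubectl auth can-i %s %s/%s -n %s --as=%s"
        % (info["verb"], info["resource"], info["name"], info["namespace"], info["user"])
    )


def rbac_manifest(info, role_name="drone-secret-reader"):
    """Role in the queried namespace limited to the one object and verb that
    were denied, bound to the service account from its own namespace."""
    api_group = '"%s"' % info["group"]  # core group is the empty string ""
    return (
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        "kind: Role\n"
        "metadata:\n"
        "  name: %(role)s\n"
        "  namespace: %(ns)s\n"
        "rules:\n"
        "- apiGroups: [%(group)s]\n"
        '  resources: ["%(resource)s"]\n'
        '  resourceNames: ["%(name)s"]\n'
        '  verbs: ["%(verb)s"]\n'
        "---\n"
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        "kind: RoleBinding\n"
        "metadata:\n"
        "  name: %(role)s\n"
        "  namespace: %(ns)s\n"
        "subjects:\n"
        "- kind: ServiceAccount\n"
        "  name: %(sa_name)s\n"
        "  namespace: %(sa_ns)s\n"
        "roleRef:\n"
        "  kind: Role\n"
        "  name: %(role)s\n"
        "  apiGroup: rbac.authorization.k8s.io\n"
    ) % {
        "role": role_name,
        "ns": info["namespace"],
        "group": api_group,
        "resource": info["resource"],
        "name": info["name"],
        "verb": info["verb"],
        "sa_name": info["sa_name"],
        "sa_ns": info["sa_namespace"],
    }


if __name__ == "__main__":
    denial = parse_forbidden(SAMPLE_LOG)
    print("# reproduce the denial:")
    print(can_i_command(denial))
    print("# minimal grant (apply only if the queried namespace is the intended one):")
    print(rbac_manifest(denial))
```

Pinning `resourceNames` keeps the grant to the single secret the runner asked for rather than every secret in the namespace; if the plugin is meant to serve several secrets, list each one rather than dropping the field. Run the `can-i` line before and after applying the manifest to confirm the change is the only thing that flipped the answer.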